GPExpert Desktop Policy Manager

Executive Summary: GPExpert Desktop Policy Manager from SDM Software makes working with Microsoft Windows' Group Policy feature much easier and provides a tool for ongoing management of existing and new policies. DPM installs quickly and easily on 32-bit servers but does not currently support 64-bit servers. The product makes creating and targeting complex Group Policy Objects easy, but experienced Group Policy users won't get as much value from the software as inexperienced users will.

PROS: Quick install; creates complex GPOs quickly and easily
CONS: No 64-bit version; somewhat pricey; not much value for experienced GPO users
RATING: 3 of 5
PRICE: $625 for up to 25 desktops; volume discounts available
RECOMMENDATION: Desktop Policy Manager is a good choice for those who need to deploy desktop management policies without learning the nuances of Group Policy; Group Policy veterans might not get much value from the software
CONTACT: SDM Software · 415-670-9302 · www.sdmsoftware.com

Group Policy is invaluable for managing Windows client systems in a business environment, but like many Microsoft tools, its power and granularity make it complex and difficult to understand and work with. If you don't understand how Group Policy works, you can easily create GPOs that don't have the intended effect, which can be disastrous. GPExpert Desktop Policy Manager (DPM) from SDM Software attempts to make getting started with and managing client system policies easier and helps you create policies that actually do what you need them to do. I downloaded a copy of DPM 1.0 and put it through its paces to see how easy and functional it really is.

Installation

DPM consists of two components, the DPM Service and the DPM Web Portal, each with its own prerequisites. You can choose to install the components on one server or place the portal on an existing web server. All the prerequisites are standard Microsoft tools or frameworks available for free download: Microsoft .NET Framework 2.0, Group Policy Management Console, and PowerShell 1.0 for the DPM service, and .NET Framework 2.0 and Microsoft IIS with ASP.NET for the web portal.

I first tried to install DPM on a system running Windows Server 2003 x64 Edition, but after I ran into some problems, an SDM representative told me something that the documentation didn't: A 64-bit version of DPM is not currently available. I then installed the product on a 32-bit Windows 2003 R2 system and had no further problems.

When prompted, I provided an Active Directory account that had permissions to create, edit, delete, and link Group Policy Objects (GPOs). The installation created two groups: Desktop Policy Manager Approvers and Desktop Policy Manager Users. You populate these groups to specify who can create profiles in DPM and who can approve them. The installation also created program icons for the DPM Web Portal and DPM Administrative Web Portal, which is used for adding and removing DPM servers. The entire install process took only a couple of minutes.

Creating Profiles

I launched the DPM Web Portal and selected the Create Profile button. DPM uses "profiles" to refer to a particular group of policy settings. Creating a profile is a four-step, wizard-driven process. First, you specify a name, description, and scope (per user or per computer) for the profile. You then select one or more templates to determine which settings will be available for configuration through the profile. In the third step, you specify the actual settings that will define the GPO; if you selected more than one template in the second step, each template’s settings are displayed in a separate tab. Finally, you configure the target or targets to which the new GPO will apply. A target can be a domain, organizational unit, user, or computer.

DPM provides useful per-user and per-computer templates that you can use to easily manage clients via Group Policy. For example, there are templates for software deployment, group memberships, drive and printer mappings, and Internet browser security.

The value of DPM lies in its use of profiles to configure policies. Profiles collect the applicable settings in one place and let you configure them without having to navigate the Microsoft tools and know which settings you need and where to find them. Because DPM requires you to use profiles to create GPOs, novice systems administrators and those who are not well versed in Group Policy will find this product very helpful. Veteran admins who are adept with Group Policy probably don't have as much to gain.

Workflow

DPM uses a workflow methodology for GPO submission and approval. Members of the Desktop Policy Users Group can create GPOs, which are then submitted by default to the Desktop Policy Approvers Group for approval. You can make one person a member of both groups to streamline the process for small organizations. If a profile is rejected, you can modify it and resubmit it for approval.
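The approval step only separates duties while the two groups stay distinct. As an added example (not part of the review and not SDM Software code), this PowerShell function lists every account that can both create and approve profiles, including through nested groups. It assumes the ActiveDirectory module from RSAT and the group names the installer is described as creating; `Get-DpmRoleOverlap` is a hypothetical name.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is available on the
# admin workstation; group names are those the review says the installer creates.
Import-Module ActiveDirectory

function Get-DpmRoleOverlap {
    param(
        # -Identity accepts a sAMAccountName, DN, GUID or SID; adjust if the
        # groups were renamed in your domain.
        [string]$UsersGroup     = 'Desktop Policy Manager Users',
        [string]$ApproversGroup = 'Desktop Policy Manager Approvers'
    )

    # -Recursive expands nested groups, so indirect membership is counted too.
    $creators  = @(Get-ADGroupMember -Identity $UsersGroup -Recursive)
    $approvers = @(Get-ADGroupMember -Identity $ApproversGroup -Recursive)

    # Index approvers by SID: SIDs survive account renames, names do not.
    $approverSids = @{}
    foreach ($a in $approvers) { $approverSids[$a.SID.Value] = $true }

    # Emit one finding per principal that holds both roles.
    foreach ($c in $creators) {
        if ($approverSids.ContainsKey($c.SID.Value)) {
            New-Object PSObject -Property @{
                SamAccountName = $c.SamAccountName
                ObjectClass    = $c.objectClass
                SID            = $c.SID.Value
                Finding        = 'Can both create and approve profiles'
            }
        }
    }
}

$overlap = @(Get-DpmRoleOverlap)
if ($overlap.Count -eq 0) {
    'No account holds both roles.'
} else {
    $overlap | Sort-Object SamAccountName |
        Format-Table SamAccountName, ObjectClass, Finding -AutoSize
}
```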

The left pane of the DPM interface, shown in Figure 1, lists all profiles and their status: waiting for approval, rejected, in edit mode, or active. When you click the arrow icon to the right of a profile, you see four options: edit, run a profile wizard (to change the profile's target or add templates), clone a profile, and delete the profile.

Analysis

I used DPM to create an array of GPOs and tested the workflow elements using different accounts. Overall, I quickly learned to use the tool and was impressed with the ease with which complex GPOs can be created and targeted to user and computer objects. Much of DPM's value is in the foundational knowledge of policy settings that the GPExpert team has built into it. This knowledge pays off by letting you create GPOs quickly and know that you have an appropriately configured policy.

This product is a good choice for administrators whose time is stretched or who need to deploy desktop management policies without learning the nuances of Group Policy and its thousands of settings. DPM lets admins easily set and enforce standards for numerous important desktop configuration items. If you're already a Group Policy veteran, however, you might not get much bang for your buck.